Access to User Profile Attributes

Security Issue

The untrusted application can use the session cookie to obtain
and possibly modify the profile attributes of the user. If the user
has administrative privileges, the application could do much more
damage.

OpenSSO Enterprise Solution

By issuing a restricted SSO token, OpenSSO Enterprise limits the set of
Session Service operations that can be performed with that token. This
functionality enables OpenSSO Enterprise to prevent applications from
modifying the profile attributes of the user. The following figure illustrates
a typical OpenSSO Enterprise deployment within an enterprise. The figure
shows both the security issues related to cookie hijacking and the
solution.
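The following toy model, added here as an illustration and not taken from OpenSSO Enterprise, shows the effect of the restricted token described above: a Session Service hands the application a token that is bound to that application and accepts only a read-only subset of operations, so neither the application nor anyone who steals the token can modify the user's profile. The operation set, the binding to an application identity and the sample profile data are assumptions of the example.

```python
# Toy model of restricted SSO tokens (added example, not OpenSSO code). Assumes a
# restricted token is bound to one application and allows only read-only operations.
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets

@dataclass
class SSOToken:
    user: str
    # None = the user's own unrestricted token (the session cookie value);
    # otherwise the identity of the application this token was issued to.
    restricted_to: Optional[str] = None

# Session Service operations a restricted token may invoke (assumed subset).
RESTRICTED_OPS = frozenset({"get_property"})

@dataclass
class SessionService:
    profiles: Dict[str, Dict[str, str]]  # constructed sample user profiles
    tokens: Dict[str, SSOToken] = field(default_factory=dict)

    def login(self, user: str) -> str:
        # Create the user's unrestricted session token (the cookie value).
        tid = secrets.token_urlsafe(16)
        self.tokens[tid] = SSOToken(user)
        return tid

    def issue_restricted(self, token_id: str, app_id: str) -> str:
        # Only an unrestricted token may derive a restricted token for app_id.
        parent = self._authorize(token_id, "issue_restricted", caller=None)
        rid = secrets.token_urlsafe(16)
        self.tokens[rid] = SSOToken(parent.user, restricted_to=app_id)
        return rid

    def _authorize(self, token_id: str, op: str, caller: Optional[str]) -> SSOToken:
        tok = self.tokens.get(token_id)
        if tok is None:
            raise PermissionError("unknown or expired token")
        if tok.restricted_to is not None:
            # A stolen restricted token is useless to any other caller, and even the
            # legitimate application is held to RESTRICTED_OPS.
            if caller != tok.restricted_to:
                raise PermissionError(f"token was not issued to {caller!r}")
            if op not in RESTRICTED_OPS:
                raise PermissionError(f"{op} not permitted with a restricted token")
        return tok

    def get_property(self, token_id: str, caller: Optional[str], name: str) -> str:
        return self.profiles[self._authorize(token_id, "get_property", caller).user][name]

    def set_property(self, token_id: str, caller: Optional[str], name: str, value: str) -> None:
        self.profiles[self._authorize(token_id, "set_property", caller).user][name] = value
```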